Annual State of Endpoint Risk survey respondents report an increase in IT operating expense with malware being the largest contributor

Scottsdale, AZ, Dec. 6, 2010

A constantly shifting IT risk environment, led by increasingly sophisticated malware attack vectors that focus on exploiting third-party and web-based application vulnerabilities, has left traditional endpoint security approaches behind. This, coupled with ever more powerful, portable, and connected computing platforms has resulted in organizations feeling less secure today than they did one year ago, according to the State of Endpoint Risk, a new Ponemon Institute study commissioned by Lumension®, the global leader in endpoint management and security.

After an examination of how these new challenges impact IT operating resources as well as IT’s ability to secure networks, this year’s study found that many organizations do not have the right arsenal of technologies in place to most effectively reduce endpoint risk. As a result, organizations are wasting valuable time, money and resources while continuing to expose their IT environment to unnecessary risks.

The cost of protecting an organization’s most valuable assets living on the endpoint is both a necessary evil but a hindrance, too. According to State of Endpoint Risk survey respondents, 48% of respondents report an increase in IT operating expenses and a main driver, says 59% of those respondents, is malware. All told, IT organizations are now faced with a very vulnerable endpoint. And, they have limited visibility into the endpoint to truly and effectively mitigate the risk of malware and data loss. Yet, respondents indicated a lack of effective technology to support policies already in place.

State of Endpoint Risk Key Findings:

Reducing endpoint risk resides largely at the application layer, yet most respondents do not actively manage the applications that live on their networks. One-third of respondents admit to putting absolutely no restrictions on which applications run on their network while another one-third employ application policies but do not actively enforce them. This lax approach to application control is a gaping hole for intruders who can, and will, easily leverage these weaknesses in the endpoint to find entry-points into the network.

The top 5 applications that concern IT the most when it comes to security are those that pose the greatest increase in vulnerabilities and IT risk. They include:

3rd party applications outside of Microsoft (58%)

Adobe (54%)

Google Docs (46%)

Microsoft OS/applications (44%)

Oracle applications (39%)

Preventing applications from being installed (55%) or executed (47%) on the endpoint, especially Web 2.0 applications, is a top challenge for IT security managers. Nearly two-thirds (59%) of those surveyed responded to that effect, citing that the management – and even the knowledge and visibility into which web 2.0 applications are running on their network – is a major challenge today.

Despite this influx of new technologies to better-address mounting endpoint risks, organizations are mainly sticking with the “tried and true” technologies even though more effective technology solutions exist today. This gap was most notable vis-à-vis the following technologies:

Vulnerability assessment (used by 51% but considered effective by 70%);

Application whitelisting (used by only 29% but considered effective by 44%);

Increasingly Sophisticated Malware in 2011: The majority of respondents (64%) acknowledged that their networks are not more secure than last year. According to the State of Endpoint Risk study, a main factor towards this feeling of insecurity is a severe lack of visibility into the endpoint, especially from an application perspective. Not having that visibility, paired with seemingly ineffective technology solutions, is an expensive problem, one only exacerbated by a lack of budget that respondents also reported in this year’s study. The following data points underscore the threat landscape both today and anticipated landscape shifts heading into 2011:

43% of respondents noting a dramatic uptick in malware in 2010 – and increasingly sophisticated/hard to detect malware, too.

98% organizations experienced a virus or malware-based network intrusion; and over one-third (35%) have experienced 50 malware attempts in just a one-month span. This equates to more than one intrusion per day.

Mobile/remote workers (50%), PC desktop/laptop vulnerabilities (48%), and the introduction of third-party applications onto the network (39%) are the greatest areas of endpoint risk currently. This is a shift from last year where endpoint security concerns were mainly focused on removable media and data center risks.

An increasing volume of cyber attacks and malware incidents (61%), negligent insiders (50%), and cloud computing (internal and third party providers; 49%) are the top three security threats anticipated in 2011.

“This years’ State of Endpoint Risk survey underscores the dramatic shifts we’re experiencing within today’s threat landscape. We’re seeing a clear transition in endpoint risk away from servers and operating systems and towards third-party and browser-based applications than ever before. With an increase in mobility, storage capacity, and connectivity trends impacting the modern IT environment, IT must adapt their current approaches to endpoint security in order to effectively protect sensitive data while minimizing IT risk and lowering overall total-cost-of-ownership costs.”

“The bottom line in all of this? Malware is not going away anytime soon. Technologies exist that will help organizations better-manage the malware threat in a much smarter, more cost-efficient and effective way than it’s being done currently. This should be a major focus for organization as we head into the new year.”

Larry Ponemon, Chairman and Founder, The Ponemon Institute

“The State of Endpoint Risk survey uncovered some interesting truths to how organizations are faring in the battle to protect their endpoints. Probably most surprising this year is that companies are doing themselves no favors by not using the technologies they themselves have identified as most effective at combating endpoint security risks and threats.”

“Hand in hand with that is a need for IT security pros to convince senior management of the perils of ignoring the threats of this new information risk environment. There is a real need to put the appropriate technologies and personnel in place to best-position organizations of all sizes and in all industries for success in the ongoing battle to ward off cyberthreats as we head into 2011.”

Patrick J. Clawson, Chairman & CEO, Lumension

Today’s threat landscape is clearly in an evolutionary period. No longer are we seeing brute-force attacks but smaller, more sophisticated and advanced persistent threats. Yet, organizations are still treating the problem with an old remedy. Instead, organizations must adapt – which means a change in mindset, a shift away from ‘staying the course’ with technologies that are no longer effective at combating the growing risks facing the endpoint today. For example, a technology approach that includes application whitelisting housed on an endpoint management and security suite and coupled with traditional approaches like antivirus, is a more prescriptive approach to addressing endpoint risk.”

“It’s this revised remedy that can better-arm IT to more effectively address growing and changing endpoint risks. In tandem, this type of approach can reduce overall complexity at the endpoint and, hopefully, improve and reduce overall IT operating expense, which is clearly a major pain-point for organizations currently, as the State of the Endpoint study confirmed for us. However, this requires an open mind regarding less ‘traditional’ approaches to endpoint security, and is something we’re actively recommending and advocating for amongst our customer base as we head into 2011.”

Methodology
The State of Endpoint Risk 2010 was derived from a survey of 782 IT and IT security practitioners within the U.S. and spanning key industries including financial services, public sector and healthcare, all of whom have active responsibility for their data security and compliance efforts.

Lumension Security, Inc., a global leader in endpoint management and security, develops, integrates and markets security software solutions that help businesses protect their vital information and manage critical risk across network and endpoint assets. Lumension enables more than 5,100 customers worldwide to achieve optimal security and IT success by delivering a proven and award-winning solution portfolio that includes Vulnerability Management, Endpoint Protection, Data Protection, Antivirus and Reporting and Compliance offerings. Lumension is known for providing world-class customer support and services 24x7, 365 days a year. Headquartered in Scottsdale, Arizona, Lumension has operations worldwide, including Virginia, Texas, Utah, Florida, Ireland, Luxembourg, the United Kingdom, Australia, and Singapore. Lumension: IT Secured. Success Optimized.™ More information can be found at lumension.com.

Lumension, the Lumension logo, are trademarks or registered trademarks of Lumension Security, Inc. All other trademarks are the property of their respective owners.